<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:dc="http://purl.org/dc/elements/1.1/">
  <channel>
    <title>DEV Community: Adrian Alexandru Stinga</title>
    <description>The latest articles on DEV Community by Adrian Alexandru Stinga (@aetherintel).</description>
    <link>https://dev.to/aetherintel</link>
    <image>
      <url>https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F3925454%2F5102f7e9-b1d3-4ecb-bd4c-5333d690c80d.jpg</url>
      <title>DEV Community: Adrian Alexandru Stinga</title>
      <link>https://dev.to/aetherintel</link>
    </image>
    <atom:link rel="self" type="application/rss+xml" href="https://dev.to/feed/aetherintel"/>
    <language>en</language>
    <item>
      <title>The Dark Web Is Already Building Sovereign AI's Next Battlefield. Europe Is Still Debating It. ( We need to move faster )</title>
      <dc:creator>Adrian Alexandru Stinga</dc:creator>
      <pubDate>Sun, 21 Jun 2026 14:26:51 +0000</pubDate>
      <link>https://dev.to/aetherintel/the-dark-web-is-already-building-sovereign-ais-next-battlefield-europe-is-still-debating-it-we-15o7</link>
      <guid>https://dev.to/aetherintel/the-dark-web-is-already-building-sovereign-ais-next-battlefield-europe-is-still-debating-it-we-15o7</guid>
      <description>&lt;p&gt;While Europe Regulates, Dark Web Groups Are Already Recruiting the Next Generation of AI Weapons Specialists&lt;/p&gt;

&lt;p&gt;The sovereign AI race is not a competition Europe can prepare for. It is a competition Europe is already inside.&lt;/p&gt;

&lt;p&gt;I have spent nearly two decades monitoring dark web ecosystems (forums, Telegram channels, encrypted messaging groups), tracking how adversarial networks recruit, organise, and operate. Over the past eighteen months, I have watched something shift that I believe European policymakers need to hear about, even if it makes them uncomfortable.&lt;/p&gt;

&lt;p&gt;The underground is recruiting AI specialists.&lt;/p&gt;

&lt;p&gt;Not in the abstract. Not as a future risk. Right now, across Russian/Chinese-language and English-language underground forums and Telegram channels, groups aligned with multiple state interests are actively recruiting three categories of talent: deepfake production specialists who can generate synthetic video and clone voices, AI-assisted fraud specialists who can weaponise large language models for social engineering, and AI infrastructure operators who can deploy and fine-tune models outside regulated cloud environments, on grey-market servers, stripped of safety guardrails.&lt;/p&gt;

&lt;p&gt;The recruitment follows patterns I have documented extensively across 80+ published intelligence reports. Trusted community members make the approach. The framing is peer opportunity, not recruitment. The people being recruited often do not know who is ultimately directing or funding the work. The pipeline is operational. The specialists are being onboarded. The tools they will build are months from deployment.&lt;/p&gt;

&lt;p&gt;This is what the sovereign AI race actually looks like from the inside.&lt;/p&gt;

&lt;p&gt;Europe Is Not Losing. Europe Is Late. (They Can Win)&lt;/p&gt;

&lt;p&gt;The distinction matters. Losing implies the game is over. Late implies there is still time, but not much. Over the past twelve months, European signals on sovereign AI have been encouraging. France has Mistral. Germany is building sovereign cloud and the LEAM initiative. Multiple companies are building sovereign platforms designed for NATO-aligned government use. At least two major European intelligence services have begun departing from US-owned AI platforms, a signal that sovereignty has moved from policy preference to operational requirement.&lt;/p&gt;

&lt;p&gt;But encouraging signals are not deployed capability. And deployed capability is what the moment demands.&lt;/p&gt;

&lt;p&gt;The Three Races Europe Is Running Simultaneously&lt;/p&gt;

&lt;p&gt;The conventional framing puts Europe third behind the US and China in AI. That framing is correct for one race and wrong for two others.&lt;/p&gt;

&lt;p&gt;Frontier model development. Europe is third and falling. Mistral is competitive at the mid-tier, but no European lab is in the frontier race with OpenAI, Anthropic, Google, Z.ai, or DeepSeek. The good news: Europe does not need to win this race. It needs to ensure it can deploy sovereign instances of competitive models, open-source or licensed, on European-controlled infrastructure.&lt;/p&gt;

&lt;p&gt;Defence and intelligence AI deployment. This is the race that matters most, and it is the race where Europe is furthest behind. Most European defence and intelligence agencies are years behind the US in integrating AI into analytical workflows, threat detection, and decision support. NATO has strategic documents but no deployed AI capability at scale. The gap is not about model quality. It is about deployment speed.&lt;/p&gt;

&lt;p&gt;AI-enabled hybrid warfare. This is the race Europe is actively losing on the defensive side. From what I observe directly, adversary-aligned groups are deploying AI for disinformation, deepfakes, and automated social engineering faster than Europe is deploying AI to detect and counter these tools. The dark web recruitment pipeline I described at the opening of this article is the production capacity for this capability.&lt;/p&gt;

&lt;p&gt;Russia's Weakness Is the Window&lt;/p&gt;

&lt;p&gt;Russia's position in the AI competition is simultaneously behind in development, crippled by sanctions on compute access, and increasingly dependent on Chinese AI technology. The combination creates a window for Europe that is strategically significant and temporally limited.&lt;/p&gt;

&lt;p&gt;Russia cannot currently train frontier AI models domestically. GPU access is severely constrained. The best Russian AI talent is leaving. On the development dimension, Europe is ahead.&lt;/p&gt;

&lt;p&gt;But Russia is not behind on the weaponisation dimension. Russia has consistently demonstrated the ability to deploy imperfect tools effectively: in disinformation, in election interference, in hybrid warfare. The dark web specialist recruitment I observe is accelerating precisely this capability. Russia does not need the best AI. It needs AI that is good enough to generate convincing deepfakes, automate social engineering at scale, and produce synthetic content faster than fact-checkers can respond.&lt;/p&gt;

&lt;p&gt;The window exists because Russia's development weakness is temporary. Chinese technology transfer is already partially mitigating the compute shortage. Within three to five years, the gap could close. China's patience in cultivating AI partnerships with European states (particularly in Central and Eastern Europe and the Balkans, where the EU is not offering alternatives) is structural and long-term.&lt;/p&gt;

&lt;p&gt;The time to act is now. Not next year. Not after the next funding cycle. Now.&lt;/p&gt;

&lt;p&gt;The AI Act Paradox&lt;/p&gt;

&lt;p&gt;The EU AI Act is the most significant AI regulatory framework in the world. It is also, in its current implementation, a potential brake on the deployment speed that Europe's security situation demands.&lt;/p&gt;

&lt;p&gt;The paradox is real: the Act's compliance requirements slow innovation and raise costs for European AI developers, but its sovereignty-forcing effects push European institutions toward domestic AI solutions they would not have chosen under pure market incentives. The Act helps and hinders simultaneously.&lt;/p&gt;

&lt;p&gt;What I expect to see (and this is a prediction I am willing to commit to publicly) is a two-speed Europe. Western European states will implement AI Act requirements conservatively, slowing defence AI deployment. Central and Eastern European states, facing more immediate security threats on the Eastern Flank, will interpret the same requirements pragmatically and deploy faster or slower (depending on the activity on the Ukrainian front and each country's politics).&lt;/p&gt;

&lt;p&gt;This two-speed dynamic is not necessarily a problem. It could be a strategic asset if the EU designs a framework that channels CEE deployment speed into coordinated capability rather than treating it as non-compliance.&lt;/p&gt;

&lt;p&gt;Deploy Now. Perfect Later.&lt;/p&gt;

&lt;p&gt;The central argument of this analysis is uncomfortable for the European policy temperament: deploy imperfect AI tools into defence and intelligence now, rather than waiting for perfect European-built models that will arrive too late.&lt;/p&gt;

&lt;p&gt;The adversary is not waiting for perfect tools. From what I observe directly in underground ecosystems, AI-enabled hybrid warfare tools are being developed and tested today. They are imperfect. They are deployed anyway. Their imperfection does not prevent them from being operationally effective.&lt;/p&gt;

&lt;p&gt;Europe's standard defence procurement cycle takes three to five years. The dark web recruitment-to-deployment cycle for an AI specialist takes three to five months. The asymmetry is structural. It cannot be closed through faster procurement alone. Europe must deploy what is available now, on sovereign infrastructure, under European control, while developing what will be needed next.&lt;/p&gt;

&lt;p&gt;The Polish S-AI model represents the right philosophy: sovereign, state-exclusive, designed for rapid integration, iterated on capability rather than waiting for perfection. Whether that specific model succeeds or fails, the design principle is correct.&lt;/p&gt;

&lt;p&gt;Four Things I Expect to See by Mid-2027&lt;/p&gt;

&lt;p&gt;Based on what I observe directly and on the structural dynamics described in this analysis:&lt;/p&gt;

&lt;p&gt;One. AI Act enforcement will produce a visible two-speed Europe: compliant West, pragmatic CEE.&lt;/p&gt;

&lt;p&gt;Two. China will offer AI technology partnerships to at least two CEE or Balkan states, filling gaps the EU is leaving open.&lt;/p&gt;

&lt;p&gt;Three. The first documented case of AI-generated deepfake content used by a state-aligned actor to influence a European election campaign. The dark web pipeline I described is the production capacity. The capability is months away, not years.&lt;/p&gt;

&lt;p&gt;Four. NATO will establish a formal AI integration doctrine by mid-2027 (imperfect, late, but necessary) as the institutional framework for what should already be happening.&lt;/p&gt;

&lt;p&gt;The Window&lt;/p&gt;

&lt;p&gt;The sovereign AI window is measured in months, not years. Russia's weakness is temporary. China's patience is not. While European policymakers debate regulatory timelines and funding mechanisms, the underground is already building the workforce for the next generation of AI-enabled hybrid warfare.&lt;/p&gt;

&lt;p&gt;The connection between sovereign AI policy and dark web recruitment is deeper than most people in Brussels want to admit. The policy debate and the operational reality are not happening on the same timeline. The policy debate operates in fiscal years. The operational reality operates in Telegram channels.&lt;/p&gt;

&lt;p&gt;Europe does not need to beat the United States or China in AI. It needs to ensure it is never dependent on either, and that it stays decisively ahead of Russia. That is achievable. Everything else is aspiration.&lt;/p&gt;

&lt;p&gt;But it requires acting now. Not after the next white paper. Now.&lt;/p&gt;

&lt;p&gt;The full analytical report at Horizon Briefings on aether intel — SAI-2026-001: Europe's Sovereign AI Window — is available as a free TLP:CLEAR download at [aether-intel.com]. It includes detailed national landscape assessments, dark web recruitment indicators, MITRE-mapped threat analysis, and specific policy recommendations.&lt;/p&gt;

&lt;p&gt;This article draws on nearly two decades of direct dark web HUMINT monitoring and on 80+ published intelligence reports across the AS-CTI-2026, OBSIDIAN-TRACE, GREY NEXUS, and Sovereign AI series + Europe Through 2028 series. No individuals are identified. No classified intelligence is cited.&lt;/p&gt;

&lt;p&gt;Adrian Alexandru Stîngă is the founder and Lead Analyst at Aether Intel, an independent cyber threat intelligence operation based in Brașov, Romania.&lt;/p&gt;


</description>
      <category>cybersecurity</category>
      <category>ai</category>
      <category>europe</category>
    </item>
    <item>
      <title>Intelligence Brief: The Disinformation Machine</title>
      <dc:creator>Adrian Alexandru Stinga</dc:creator>
      <pubDate>Wed, 17 Jun 2026 06:33:59 +0000</pubDate>
      <link>https://dev.to/aetherintel/intelligence-brief-the-disinformation-machine-3bh</link>
      <guid>https://dev.to/aetherintel/intelligence-brief-the-disinformation-machine-3bh</guid>
      <description>&lt;p&gt;The Disinformation Supply Chain: How Coordinated Influence Campaigns Are Built Before They Go Viral &lt;/p&gt;

&lt;p&gt;Article from the Digital HUMINT Series. For a better understanding, read the full report.&lt;/p&gt;

&lt;p&gt;Right now, somewhere on X or a forum, people are fighting about a post that feels real: raw, emotional, perfectly worded to hit a nerve. It has the right language, the right anger, the right timing. It sounds like someone who thinks exactly the way you do, or exactly the way you hate.&lt;/p&gt;

&lt;p&gt;It wasn't written there. It wasn't written today. And the person who wrote it doesn't care about the issue at all.&lt;/p&gt;

&lt;p&gt;That post was created two or three days earlier, on a hidden forum or a private chat group, following a set of instructions that described who to target, what emotions to trigger, which platform to use, and how much the job pays. By the time you see it, the operation has already worked. You engaging with it, for or against, is the whole point.&lt;/p&gt;

&lt;p&gt;I've spent almost two decades watching these hidden spaces where online manipulation is planned. What I've learned isn't that fake content exists; everyone knows that by now. What most people don't realize is that it works like a factory. There's a production line. There are workers, managers, and paychecks. And just like any factory, if you know where to look, you can see the product being assembled before it ever reaches the shelf.&lt;/p&gt;

&lt;p&gt;It Works Like Any Other Business&lt;br&gt;
We talk about "disinformation campaigns" as if they're political movements. Some are. But more and more, what you're actually looking at is a business with four steps, each handled by different people, often in different countries.&lt;/p&gt;

&lt;p&gt;Step 1 — Someone writes the plan. A person with a goal and a budget writes a document that says: push this story, target these kinds of people, make them feel this emotion, use this language, post it on these platforms. These plans used to appear on hidden internet forums. Many have moved to private Telegram groups, but the structure hasn't changed since I first saw it in 2014.&lt;/p&gt;

&lt;p&gt;Step 2 — Someone hires the workers. Job ads appear on hidden forums looking for people with real-looking social media accounts, willing to post about specific topics, in specific countries, for cryptocurrency payment. These ads are surprisingly open about what the job involves. They list the platform, the country, the topic, how many posts per day, and the pay: anywhere from $20 to $200 per post.&lt;/p&gt;

&lt;p&gt;Step 3 — The content goes live. Multiple accounts post similar content within a short window, dropping it into the right online communities. This is the moment it becomes visible to the public.&lt;/p&gt;

&lt;p&gt;Step 4 — It spreads. Paid accounts boost the content. Automated accounts pile on. And then real people, people who genuinely agree with the message, start sharing it because it feels true. At that point, the operation runs on its own. The people sharing it have no idea it was manufactured.&lt;/p&gt;

&lt;p&gt;The person who wrote the plan, the person who wrote the post, the person who published the post, and the person who shared it are four different people. Often living in four different countries.&lt;/p&gt;

&lt;p&gt;The 48 Hours Nobody Is Watching&lt;br&gt;
Here's the part that should bother everyone: the best chance to stop one of these operations is not after the content appears on your feed. It's in the two or three days before it appears, while the plan is being written, the workers are being hired, and the content is being prepared.&lt;/p&gt;

&lt;p&gt;During that window, the whole operation is visible to anyone watching the right places. The plan exists. The job ads are posted. People are being recruited and paid. The network that will spread the content has been told what's coming. Everything is ready, but nothing has been published yet.&lt;/p&gt;

&lt;p&gt;Once that window closes, it's too late for prevention. You're just trying to clean up the mess while more content keeps coming. And that's exactly what most organizations tasked with fighting this problem are doing: they're watching social media for fake content after it's already out there. They're looking at the finished product, not the factory.&lt;/p&gt;

&lt;p&gt;The job ads alone tell you almost everything you need to know. An ad looking for English-speaking accounts, focused on election-related content, targeting a specific country, paying in cryptocurrency, posted a few weeks before an election: that's not hard to interpret. It's a clear warning sign with specific details about what's coming. The challenge isn't understanding what it means. The challenge is that almost nobody is looking at the forum where it was posted.&lt;/p&gt;

&lt;p&gt;What I Saw Change Over 12 Years — and What Stayed the Same&lt;br&gt;
I first saw this system in action during the 2014–2015 period, monitoring hidden forums connected to the conflict in Eastern Ukraine. The instructions were crude: open messages telling people what to post, where, and to whom. The people posting these instructions didn't think anyone outside their circle was reading them.&lt;/p&gt;

&lt;p&gt;What surprised me then, and still surprises me now, is that the basic system hasn't changed in twelve years. The steps are the same. The timing is the same. The logic is the same.&lt;/p&gt;

&lt;p&gt;What has changed is the tools. AI now writes content that used to take human writers hours. Cryptocurrency replaced bank transfers, making payments harder to trace. Telegram replaced some of the old forums for planning. TikTok got added to the list of target platforms. The factory is the same; it just has better equipment.&lt;/p&gt;

&lt;p&gt;The one change that actually makes a difference is that the planning stage has partly moved from open forums to private chat groups. Forums, even hidden ones, can be monitored by anyone who gains access. Private groups are much harder to watch. But the hiring stage — the job ads looking for people to post — still happens on forums, because you need to reach a wide pool of workers. That part of the process is still visible if you know where to look.&lt;/p&gt;

&lt;p&gt;What This Means for You&lt;br&gt;
If you're just someone who uses social media (which is most of us), the takeaway is simple. The content that triggers your strongest reaction, that perfectly matches your frustration or your fear, that sounds like someone finally saying what everyone is thinking: that content may have been designed to feel exactly that way. Not by an algorithm. By a person with a plan and a budget, who identified people like you as the target and your specific worry as the way in.&lt;/p&gt;

&lt;p&gt;It doesn't mean every post that makes you angry is fake. It means the posts that feel the most perfectly crafted to push your buttons deserve a second look. A pause. A moment of asking: who benefits if I share this right now?&lt;/p&gt;

&lt;p&gt;The factory is real. The production line is running. And by the time you're arguing about the product on your timeline, the person who ordered it has already moved on to the next batch.&lt;/p&gt;

&lt;p&gt;This short article is part of my Digital HUMINT Series.&lt;/p&gt;

&lt;p&gt;This article is based on findings from report OT-045, "The Disinformation Supply Chain," published by Aether Intel (aether-intel.com). The full report includes the complete production-line framework, technical mapping, detection methods, and twelve years of evolution analysis. Available for free at aether-intel.com.&lt;/p&gt;

</description>
      <category>ai</category>
      <category>cybersecurity</category>
      <category>behavior</category>
      <category>europe</category>
    </item>
    <item>
      <title>By the Time You See the Attack, You're Already Late</title>
      <dc:creator>Adrian Alexandru Stinga</dc:creator>
      <pubDate>Mon, 15 Jun 2026 05:59:51 +0000</pubDate>
      <link>https://dev.to/aetherintel/by-the-time-you-see-the-attack-youre-already-late-413d</link>
      <guid>https://dev.to/aetherintel/by-the-time-you-see-the-attack-youre-already-late-413d</guid>
      <description>&lt;p&gt;This article is part of Europe Through 2028, Part Two.&lt;/p&gt;

&lt;p&gt;Europe’s eastern frontier isn’t facing a wave of infrastructure attacks. It’s facing something harder to see and harder to stop: access being built and held in reserve, ahead of 2028.&lt;br&gt;
There’s a particular kind of threat that doesn’t show up in incident reports, because nothing has happened yet. No outage. No ransom note. No breach disclosure. Just a foothold (quiet, persistent, established inside a system that matters) sitting there, doing nothing, waiting.&lt;/p&gt;

&lt;p&gt;That waiting is the point. And right now, across Europe’s eastern frontier, it’s the trend worth watching.&lt;/p&gt;

&lt;p&gt;In an earlier assessment, I described what I called the build: influence infrastructure being assembled well ahead of Europe’s 2028 election supercycle. Aged accounts. Cultivated operators. The slow, patient construction of a perception-shaping capability that wouldn’t be switched on until the moment it mattered. The unsettling part wasn’t any single piece of content. It was the timing: someone was getting ready.&lt;/p&gt;

&lt;p&gt;This is the second half of that story. And the build has grown a harder edge.&lt;/p&gt;

&lt;p&gt;From narratives to the systems underneath&lt;br&gt;
Over recent months, the same ecosystems I’d been watching curate accounts and recruit operators started orienting toward something else entirely. Not narratives. Systems: the physical and digital infrastructure a state depends on to function.&lt;/p&gt;

&lt;p&gt;The shift is one of emphasis, not a clean break. The actors are the same. The forums are the same. But the conversation has moved from what people believe to what keeps the lights on. Among groups whose behaviour and targeting line up consistently with a single state’s strategic interests, there’s been a sustained rise in stated intent and observable interest against national-security-relevant infrastructure.&lt;/p&gt;

&lt;p&gt;Here’s the logic shift that matters. Influence operations shape perception. Infrastructure targeting shapes leverage: the ability to threaten, disrupt, or signal at a moment of your own choosing. Pursued together, they’re not two separate campaigns. They’re two halves of one pressure capability, aimed at the same horizon.&lt;/p&gt;

&lt;p&gt;And critically: what’s rising is posture, not yet impact. The interest is up. The recruitment is up. The orientation is up. A wave of destructive events is not. That distinction is the whole game, because it means defenders still hold the initiative, for now.&lt;/p&gt;

&lt;p&gt;Access is the asset, not the action&lt;br&gt;
This is the idea I most want to land, because it reframes how you should read everything else.&lt;/p&gt;

&lt;p&gt;Access to a critical system, quietly established, never used, is not a failed attack. It’s a capability. It’s a loaded option held in reserve, and it carries strategic weight whether or not anyone ever pulls the trigger. The infrastructure analogue of the aged social media account: valuable precisely because it’s patient.&lt;/p&gt;

&lt;p&gt;That changes the defensive question. You stop asking “has anything been disrupted?” and start asking “is anyone already inside, just waiting?” The decisive activity isn’t the disruption. It’s the establishment of access during the quiet build phase, which is exactly the window where you can still deny it.&lt;/p&gt;

&lt;p&gt;Two targets keep surfacing: sovereign AI and power&lt;br&gt;
When you watch this kind of discourse long enough, you stop chasing individual mentions and start noticing gravity: the targets the conversation keeps bending toward. Two keep recurring.&lt;/p&gt;

&lt;p&gt;Sovereign AI (national and regional efforts to build independent AI capability) is attractive precisely because it’s strategic and new. It concentrates sensitive data, computational dependency, and national prestige into systems that are being stood up fast and haven’t yet earned decades of operational scar tissue. They’re emergent, which means they’re soft. For an adversary, interest in a state’s sovereign AI is interest in that state’s future autonomy. Compromise it early, and you constrain a rival’s independence before it’s fully built, a long-horizon move that fits a 2028 mindset exactly.&lt;/p&gt;

&lt;p&gt;Power systems are the older, more familiar prize. Their appeal is the cascade. Electricity sits upstream of nearly everything: communications, water, finance, healthcare, the state’s own ability to respond to a crisis. You don’t need to cause an outage to extract value. The credible ability to hold power infrastructure at risk is, by itself, a standing instrument of pressure.&lt;/p&gt;

&lt;p&gt;Neither is chosen for being easy. Both are chosen for leverage, for what their disruption would signal and cascade. That’s the tell that this is coercion logic, not profit logic.&lt;/p&gt;

&lt;p&gt;One sponsor, many deniable hands&lt;br&gt;
The groups driving this are best understood as aligned with a single state sponsor, not as its employees.&lt;/p&gt;

&lt;p&gt;The relationship is rarely a chain of command. It’s closer to alignment and tolerance: nominally criminal crews whose targeting happens, again and again, to serve a state’s strategic interests, operating in an environment where that activity is permitted, encouraged, or quietly nudged, while any formal connection stays deliberately blurry.&lt;/p&gt;

&lt;p&gt;That blur is a feature, not a bug. Route strategic targeting through ostensibly independent criminals and the sponsor buys plausible deniability, while defenders inherit an attribution problem. An intrusion that looks financially motivated may be strategically directed. Crime, in other words, can be statecraft wearing a criminal coat.&lt;/p&gt;

&lt;p&gt;The practical takeaway for defenders is uncomfortable but clarifying: treat alignment as a working hypothesis, not a settled fact. Assume some share of what presents as opportunistic crime is strategically oriented, and prioritize the targets a state would value over the ones a purely financial actor would pick.&lt;/p&gt;

&lt;p&gt;(A note I keep on every assessment of this kind: “state-aligned” is an analytic read on behaviour and targeting, not a legal attribution. I name no state here, and that discipline matters more than ever when the whole adversary model depends on ambiguity.)&lt;/p&gt;

&lt;p&gt;The recruitment surge is the tell&lt;br&gt;
Ambition needs operators. And the clearest signal that the infrastructure orientation is meant to last, not flare up once and fade, is who’s hiring.&lt;/p&gt;

&lt;p&gt;Across Telegram and dark web forums, nearly all the ransomware-as-a-service operations in the aligned cluster are visibly scaling their recruitment. Where the influence layer ran on selective, reputation-based recruiting, the infrastructure layer looks broader and more urgent. The pattern reads like staffing for volume and continuity: building bench depth for sustained operations against hard targets, not hand-picking a couple of trusted hands for a one-off.&lt;/p&gt;

&lt;p&gt;And here’s what makes it intelligence rather than noise: the rise is cluster-wide. Individual crews expand and contract constantly; that’s normal underground churn. But an entire aligned ecosystem increasing its intake in the same window, oriented at the same target categories, points to a shared driver behind all of them. That simultaneity is the signature of directed pre-positioning.&lt;/p&gt;

&lt;p&gt;The honest caveat: most of this is inferred from surface activity. The real tempo is almost certainly higher than what shows openly. Recruitment that runs through private, trust-mediated channels stays, by design, below the line.&lt;/p&gt;

&lt;p&gt;Why this is a sovereignty problem, not just a security one&lt;br&gt;
The reason this deserves attention isn’t the prospect of one dramatic, made-for-headlines event. It’s the compounding effect of access being quietly established across exactly the systems a state can’t afford to lose control of.&lt;/p&gt;

&lt;p&gt;Cascade. Power sits upstream of everything. Access converts a narrow technical foothold into broad societal leverage.&lt;br&gt;
Signal. Even held in reserve, demonstrated capability against strategic systems is a message. It shapes the calculations of decision-makers under pressure — coercion that works without ever being used.&lt;br&gt;
Sovereignty. Shaping or compromising emergent national capability, sovereign AI above all, is a way to constrain a rival’s future autonomy before it’s fully established.&lt;br&gt;
Together, those move the infrastructure front out of the security bucket and into the strategic one. This is leverage over how a society functions and what it can become, which is why the response has to be owned at the level of national resilience, not left to individual operators to figure out alone.&lt;/p&gt;

&lt;p&gt;Two fronts, one horizon&lt;br&gt;
Read the narrative build and the infrastructure build together and you get the real picture: a combined coercion capability maturing toward the same fixed date.&lt;/p&gt;

&lt;p&gt;Perception-shaping makes a population more susceptible at the precise moment infrastructure pressure is applied. Infrastructure pressure lends weight to narratives that would otherwise be dismissed. A campaign that can do both at once, at a chosen moment, is worth more than the sum of its parts, and the build phase is the only phase where it stays stoppable.&lt;/p&gt;

&lt;p&gt;What an accelerating front looks like&lt;br&gt;
No single indicator proves anything. Their value is cumulative: convergence across several, over time, is what separates directed pre-positioning from ordinary underground activity. The things I’m watching for, in combination:&lt;/p&gt;

&lt;p&gt;A simultaneous, cluster-wide rise in recruitment across aligned groups.&lt;br&gt;
Target-category drift in discourse: sovereign AI, power, and grid displacing purely financial chatter.&lt;br&gt;
An access-not-action posture: footholds established and held rather than immediately cashed out.&lt;br&gt;
Proxy proliferation: new “criminal” groups whose targeting keeps lining up with one state’s interests.&lt;br&gt;
Cross-border simultaneity: comparable infrastructure targeted across several frontline states at once.&lt;br&gt;
Front convergence: the same ecosystems active across both the narrative and infrastructure layers.&lt;/p&gt;

&lt;p&gt;The window is the build&lt;br&gt;
If there’s one thing to take from all of this, it’s that the decisive activity is the establishment of access, not its use. Which means the highest-leverage defensive moves are anticipatory:&lt;/p&gt;

&lt;p&gt;Hunt for quiet, persistent footholds on the assumption that someone is already establishing and holding them. Apply national-resilience-grade protection to sovereign AI and power as the strategic assets they are. Defend against the state-relevant hypothesis where “criminal” targeting aligns with a state’s interests. Track recruitment as a leading indicator. Coordinate across borders now, while there’s still time to make detection mature. And analyse the two fronts together, because separately neither one tells you the truth.&lt;/p&gt;

&lt;p&gt;Quiet, persistent access to a strategic system is not a failed attack. It’s a capability waiting for the moment it’s needed, and it’s being built now, in the one phase where it can still be denied.&lt;/p&gt;

&lt;p&gt;The defender’s advantage hasn’t changed since Part One. It’s time, spent now, on denying access before it becomes leverage.&lt;/p&gt;

&lt;p&gt;This is a strategic forecast describing patterns, intent, and trajectories observed across monitored dark web and Telegram ecosystems, interpreted through more than a decade of HUMINT and open-source experience in Eastern European, Russian-language, and hybrid-warfare environments. It names no state, actor, group, infrastructure, or jurisdiction, and contains no operational or technical detail. “State-aligned” reflects an analytic assessment of behavioural and targeting alignment, not legal attribution. Published TLP:CLEAR for the broadest defensive benefit.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Almost all the ops start recruiting from the underground/dark web/Telegram&lt;/strong&gt;&lt;/p&gt;

</description>
      <category>ai</category>
      <category>cybersecurity</category>
      <category>eu</category>
    </item>
    <item>
      <title>Someone Decided What Millions Would Think Next Week</title>
      <dc:creator>Adrian Alexandru Stinga</dc:creator>
      <pubDate>Wed, 10 Jun 2026 07:40:55 +0000</pubDate>
      <link>https://dev.to/aetherintel/someone-decided-what-millions-would-think-next-week-1ci3</link>
      <guid>https://dev.to/aetherintel/someone-decided-what-millions-would-think-next-week-1ci3</guid>
      <description>&lt;p&gt;HUMINT — Behavior Analysis Series · Based on GREY NEXUS report GN-064, "Narrative Architects"&lt;/p&gt;

&lt;p&gt;By the time a piece of disinformation reaches your feed, the most important decisions about it have already been made, somewhere you'll never see, in a document you're not meant to know exists.&lt;/p&gt;

&lt;p&gt;The post feels spontaneous. The outrage feels organic. The timing feels like coincidence.&lt;/p&gt;

&lt;p&gt;None of it is.&lt;/p&gt;

&lt;p&gt;In this Q&amp;amp;A, Adrian Alexandru Stinga, threat intelligence analyst specializing in HUMINT, behavioral analysis, and dark web ecosystems, unpacks the findings from his latest GREY NEXUS report, GN-064: Narrative Architects. Drawing on nearly two decades monitoring coordination communities, forums, and encrypted channels, the report documents something most counter-disinformation work never looks for: the operational briefing, the document that is written, calibrated, and distributed before a single post ever appears.&lt;/p&gt;

&lt;p&gt;Q: Your report opens with a strange line: "A briefing is not written to describe what will happen. It is written to make what will happen look like it was never planned." That sounds backwards. Explain it.&lt;/p&gt;

&lt;p&gt;It only sounds backwards if you think the goal of an information operation is to spread a message. It isn't. The goal is to spread a message that looks like it spread on its own. The entire value of a coordinated narrative collapses the moment it looks coordinated. So the briefing is written with two objectives at once: make the operation effective, and make the operation invisible. Those two objectives are in tension, and managing that tension is the whole craft. A good briefing produces alignment among hundreds of people while leaving no individual piece of content that could ever prove they were aligned.&lt;/p&gt;

&lt;p&gt;Q: Let's go to the basics. When most people imagine a disinformation campaign, they picture bots, fake accounts, troll farms. You're saying the real action happens earlier.&lt;/p&gt;

&lt;p&gt;Much earlier, and that's the blind spot. Almost all counter-disinformation work begins the moment content reaches a platform. A post goes up, it gets flagged, it gets analyzed, maybe it gets taken down. But by then the operation has already succeeded or failed. Every decision that mattered (which narrative, which audience, which platform, which framing to use and which to avoid) was made before any of that, in a single document I call the briefing. The post you see is just the execution of a decision that was made days earlier, somewhere you're not watching. Detecting the post is detecting the smoke. The briefing is the fire.&lt;/p&gt;

&lt;p&gt;Q: So where does a briefing actually begin? With the narrative?&lt;/p&gt;

&lt;p&gt;No, and this surprises people. Briefings don't begin with a narrative. They begin with a context: a condition in the information environment where a particular narrative can land (as I wrote in the GN-067 report). The narrative is chosen second, to fit the opening. There are two main starting points. The first is event-triggered: something happens, a political announcement, a scandal, a disaster, and a prepared narrative moves into that window of attention within hours. The second is accumulated-tension: there's no fresh event, just a pre-existing fault line in society that someone decides is ripe for activation. That second type is far harder to detect, because there's no external trigger to point at. It just looks like a topic that suddenly won't go away.&lt;/p&gt;

&lt;p&gt;Q: If everything is designed to look organic, how can you tell a briefed operation from a genuine community reacting to the news?&lt;/p&gt;

&lt;p&gt;This is the single most important signal in the report, so let me be precise about it. When a real community reacts to an event, it produces diversity. Many interpretations, many framings, people arguing with each other (without knowing why), genuine ideological mess. That's what authentic looks like. A briefed community produces alignment. Within hours you see the same framing, the same supporting points, the same chosen evidence, and (this is the giveaway) the same things being conspicuously not said. Organic communities argue. Briefed communities converge. The convergence is the fingerprint. Not what they say. The fact that independent people somehow all say it the same way.&lt;/p&gt;

&lt;p&gt;Q: Walk me through what's actually inside one of these documents.&lt;/p&gt;

&lt;p&gt;The anatomy is remarkably consistent. There's an opportunity context: the situation being exploited. There's an objective, which is almost always left implicit, because writing down "we want people to distrust this institution" creates attribution risk. There's the narrative specification, which is the richest part: a core claim, two or three supporting points, the evidence to cite, the tone to strike, and an avoidance section telling participants what not to say. Then there's target specification: which platform, which audience, usually described by behavior rather than demographics, again to reduce traceability. And execution parameters: timing and volume. But the most analytically interesting part of any briefing is what's deliberately absent: no named director, no financial instructions, no attribution to any state, and never any acknowledgment that the content is coordinated at all. The absences are as engineered as the contents.&lt;/p&gt;

&lt;p&gt;Q: That avoidance guidance, telling people what not to say: why does that matter so much to you as an analyst?&lt;/p&gt;

&lt;p&gt;Because it's the part nobody is trained to look for. Everyone watches what propaganda says. Almost no one watches what it carefully avoids. When a deployed narrative systematically steps around a specific counter-argument, one that would come up naturally in any honest discussion of the topic, that silence is a signal. Organic conversation includes the inconvenient points. Briefed conversation routes around them with suspicious consistency. What a campaign refuses to mention often tells you more than what it shouts. The signs of every operation to influence people are in the seed messages (the first messages): track the first messages and you will see clearly that it is not organic.&lt;/p&gt;

&lt;p&gt;Q: You describe a "calibration" problem at the heart of all this. What do you mean?&lt;/p&gt;

&lt;p&gt;This is the real skill of the people I call narrative architects. The briefing has to be specific enough that hundreds of independent participants produce recognizably consistent content; otherwise there's no coordination signal, no operational effect. But it has to be vague enough that no single piece of that content could ever be held up as proof of coordination. Too specific (exact phrasing, explicit instructions to post) and you've created evidence. Too vague (just a general ideological direction) and execution falls apart, the message scatters, the operation fails. The narrow band between those two failures is where effective briefings live. Hitting that band repeatedly, across many operations, is a learned craft. It's writing.&lt;/p&gt;

&lt;p&gt;Q: This all comes from direct observation? You actually watched these patterns form?&lt;/p&gt;

&lt;p&gt;Over years, yes, primarily across the 2014–2016 period when coordination still happened in semi-public forum spaces that a positioned monitor could observe, and then inferred forward from the signals that survived into the encrypted era. That's the part that's hard to convey. I was reading documents that had already decided what millions of people would see on their feeds in the coming days. The "organic public reaction" hadn't happened yet; it was sitting in front of me, specified and scheduled. You don't forget what that does to your sense of what a comment section actually is.&lt;/p&gt;

&lt;p&gt;Q: And it's gotten harder to see since then.&lt;/p&gt;

&lt;p&gt;Considerably. The structural logic of the briefing hasn't changed at all; the anatomy I described is stable from 2014 to today. What changed is the plumbing. Coordination moved from semi-public forums to encrypted, compartmentalized channels with role-based, need-to-know distribution. Guidance became more implicit, leaning on norms established in prior operations rather than spelling things out. Avoidance rules that used to be written in the briefing are now just understood. So detection went from "high, for anyone positioned to watch" to "medium, and only with deeper access and real structural pattern recognition." The signal is still there. It's just buried deeper, and you have to know the shape you're looking for.&lt;/p&gt;

&lt;p&gt;Q: So what's the counter-disinformation takeaway? What should defenders actually do differently?&lt;/p&gt;

&lt;p&gt;Move detection upstream. A program that starts looking when content hits a platform is permanently operating downstream of the decision that mattered. The briefing signal (sudden narrative alignment, coordination-channel preparation activity, content-creator recruitment with oddly specific framing requirements) appears before deployment. That's where the lead time is. Second: start analyzing avoidance patterns, not just content. Third: prebunking, which NATO StratCom research already identifies as the highest-impact intervention, works far better when it's calibrated to the specific framing an anticipated briefing will use, rather than to a vague topic area. Briefing-structure analysis is what makes prebunking precise instead of generic. None of this is something an automated platform does well. It needs an analyst who can hold a behavioral baseline in their head and notice when reality diverges from it.&lt;/p&gt;

&lt;p&gt;Q: Final question. The most unsettling line in the whole report is in the conclusion. The people spreading these narratives: were they lying?&lt;/p&gt;

&lt;p&gt;No. That's the part that's genuinely hard to sit with. The community members who posted the briefed content had no idea they were executing a brief. They believed they were expressing their real convictions — and they were. That's the craft at its most refined. The briefing didn't manufacture beliefs and install them in people. It went looking for convictions that already existed, and then wrote precise instructions for how to express those convictions in the most operationally effective way at exactly the right moment. The people are sincere. The sincerity is the weapon. The document found it, aimed it, and timed it — and then made sure it would always look like it was never planned.&lt;/p&gt;




&lt;p&gt;Adrian Alexandru Stinga is the founder and Lead Analyst of &lt;em&gt;Aether Intel&lt;/em&gt; (&lt;a href="https://aether-intel.com" rel="noopener noreferrer"&gt;https://aether-intel.com&lt;/a&gt;), an independent Cyber Threat Intelligence practice based in Brașov, Romania. GN-064, "Narrative Architects," is part of the GREY NEXUS deep-dive intelligence series (GN-061 through GN-070), available in full at aether-intel.com.&lt;/p&gt;

&lt;p&gt;The full report includes the complete briefing anatomy, the deniability-gradient model, MITRE ATT&amp;amp;CK technique mapping, a four-phase detection framework, and a fictional composite briefing illustration. Public-source corroboration: NATO StratCom COE, EU DisinfoLab, and EEAS StratCom East. TLP:CLEAR, unrestricted distribution.&lt;/p&gt;

&lt;p&gt;If you've observed coordination-channel activity consistent with active briefing preparation (narrative-specification threads, content-creation coordination, or platform-targeting discussion), report it to your national counter-disinformation authority or counterintelligence service. Reporting is not evidence of guilt. It is evidence of integrity.&lt;/p&gt;

&lt;p&gt;Read the full report GN-064 → aether-intel.com&lt;/p&gt;

</description>
      <category>ai</category>
      <category>cybersecurity</category>
      <category>behavior</category>
      <category>webdev</category>
    </item>
    <item>
      <title>Someone Is Keeping Score of Your Society's Pain</title>
      <dc:creator>Adrian Alexandru Stinga</dc:creator>
      <pubDate>Sun, 07 Jun 2026 15:14:33 +0000</pubDate>
      <link>https://dev.to/aetherintel/someone-is-keeping-score-of-your-societys-pain-2l9i</link>
      <guid>https://dev.to/aetherintel/someone-is-keeping-score-of-your-societys-pain-2l9i</guid>
      <description>&lt;p&gt;The Grievance Catalog: Why Your Population's Pain Is Already on File&lt;/p&gt;

&lt;p&gt;Adrian Alexandru Stinga | Lead Analyst, Aether Intel | June 2026&lt;/p&gt;

&lt;p&gt;A grievance, once catalogued by a hostile actor, has already become a munition. Only the firing date remains undecided.&lt;/p&gt;

&lt;p&gt;That's the conclusion of nearly two decades of monitoring Eastern European and Russian-speaking underground ecosystems. And it changes how we should think about hybrid threats entirely.&lt;/p&gt;

&lt;p&gt;This Is Not a Propaganda Problem. It Is a Memory Problem.&lt;/p&gt;

&lt;p&gt;We keep treating foreign influence operations as campaigns: bounded events with a beginning, a peak, and an end. That framing is convenient for media reporting and political response. It is also wrong.&lt;/p&gt;

&lt;p&gt;What I've observed since 2014 is not a sequence of campaigns. It is the continuous operation of an archive. A slow, patient, distributed accumulation of human pain — harvested from open social media, regional news comments, closed Telegram groups, and protest movement chats — indexed, tagged, mirrored, and held ready for activation.&lt;/p&gt;

&lt;p&gt;The archive doesn't generate the crisis. It waits for the crisis and redirects it.&lt;/p&gt;

&lt;p&gt;I watched material being filed in 2014 and 2015. I assumed it had a half-life, that grievances not used quickly would expire and lose their emotional charge. That is not what happened. I've seen the same testimonies, sometimes the same screenshots, redeployed in 2022 and 2023 with their original emotional charge fully intact.&lt;/p&gt;

&lt;p&gt;A grievance, properly catalogued, does not age. It waits.&lt;/p&gt;

&lt;p&gt;How the Catalog Works&lt;/p&gt;

&lt;p&gt;The architecture is deceptively simple. Four layers, none of which require sophisticated tooling or formal organisation.&lt;/p&gt;

&lt;p&gt;Layer 1 - Harvest. Open social media, news comment sections, closed groups, protest chats. The harvesters don't know they're harvesters. They're reading, screenshotting, saving things they find interesting.&lt;/p&gt;

&lt;p&gt;Layer 2 — Tagging. Material gets reposted into working threads, categorised by grievance type, region, demographic, exploitability. The taggers think they're having a conversation.&lt;/p&gt;

&lt;p&gt;Layer 3 — Storage. Pinned threads, screenshot folders, secondary channels, cross-posted to ensure no single takedown kills the archive. The mirrorers think they're preserving something valuable.&lt;/p&gt;

&lt;p&gt;Layer 4 — Activation. Pulled into messaging products, talking points, or used as a lens to identify individuals for future recruitment. Only at this layer is professional intent visible, and by then the work of the first three layers was already done, for free, by people who would never describe what they were doing as intelligence collection.&lt;/p&gt;

&lt;p&gt;The cost of building this archive is patience, language fluency, and an absence of scruples about treating other people's pain as a resource.&lt;/p&gt;

&lt;p&gt;Five Categories of Pain, Faithfully Indexed&lt;/p&gt;

&lt;p&gt;Across the ecosystems I've monitored, five grievance types account for the vast majority of catalog content. They're harvested in parallel and activated based on which external trigger arrives first.&lt;/p&gt;

&lt;p&gt;Ethnic and minority tensions: activated around local crime stories, school policy changes, census debates.&lt;/p&gt;

&lt;p&gt;Economic inequality and class resentment: activated around energy price spikes, inflation reports, pension reforms.&lt;/p&gt;

&lt;p&gt;Religious and confessional divisions: activated around religious anniversaries, clerical controversies, legal cases.&lt;/p&gt;

&lt;p&gt;Historical wounds and unresolved past: activated around commemoration disputes, border tensions, revisionist controversies.&lt;/p&gt;

&lt;p&gt;Anti-institutional and anti-elite sentiment: activated around corruption cases, institutional scandals, sovereignty debates.&lt;/p&gt;

&lt;p&gt;When a coordinated network can activate across all five categories simultaneously, the preparation was done years in advance by people who understood each terrain well enough to file it correctly.&lt;/p&gt;

&lt;p&gt;From Population Archive to Individual Targeting&lt;/p&gt;

&lt;p&gt;Here's where it gets personal. The grievance catalog is not only a messaging tool. It is a recruitment tool.&lt;/p&gt;

&lt;p&gt;Individual posts, accumulated over time, reveal the contours of a person: their wounds, their loyalties, their resentments, their financial pressures. For an actor patient enough to read the archive longitudinally, the result is a low-cost behavioural dossier on people who never consented to be profiled.&lt;/p&gt;

&lt;p&gt;I observed the same operators tagging grievance material also flagging individual authors for future contact. The vocabulary was basic (variants of "useful," "approachable," "angry enough," "locally credible") but the discipline was consistent.&lt;/p&gt;

&lt;p&gt;The catalog of grievances and the catalog of exploitable individuals are not separate products. They are two views of the same dataset. This is the point where information operations become intelligence operations — and where data protection and national security genuinely converge.&lt;/p&gt;

&lt;p&gt;The Asymmetry Defenders Haven't Solved&lt;/p&gt;

&lt;p&gt;The core problem is not resources. It is memory horizon.&lt;/p&gt;

&lt;p&gt;The adversary's catalog operates on a decade-plus timeline. Entries from 2014 are still operationally live in 2026. Western defender institutions operate on budget cycles, political cycles, and personnel rotations. Lessons learned in one crisis are forgotten 24 to 36 months later when the team rotates.&lt;/p&gt;

&lt;p&gt;An adversary who remembers versus a defender who moves on: that asymmetry is the structural condition under which everything else in the hybrid environment plays out.&lt;/p&gt;

&lt;p&gt;Defender responses framed around incident, campaign, and attribution will continue to win battles and lose the longer contest. The catalog operates on a decade horizon. Any defender posture organised on shorter horizons concedes the strategic terrain by default.&lt;/p&gt;

&lt;p&gt;What Needs to Change&lt;/p&gt;

&lt;p&gt;The answer is not to mirror adversarial tradecraft. Defender institutions cannot and should not maintain catalogs of their own populations' pain. The answer is to build analytical capability whose institutional memory survives the political and personnel cycles that currently bound it.&lt;/p&gt;

&lt;p&gt;EU EEAS, NATO StratCom COE, EU DisinfoLab, and national counter-disinformation units are the right starting institutions. The question is whether their mandate, budget, and continuity match the time horizon of the adversary.&lt;/p&gt;

&lt;p&gt;The lesson of nearly two decades of direct observation: wounds are not weapons by themselves. They become weapons when someone with patience writes them down.&lt;/p&gt;

&lt;p&gt;The full report (GN-069, TLP:CLEAR) is available at aether-intel.com as part of the GREY NEXUS series (GN-061 through GN-070).&lt;/p&gt;

&lt;p&gt;Adrian Alexandru Stinga is the founder and Lead Analyst of Aether Intel, an independent Cyber Threat Intelligence practice based in Brașov, Romania, specialising in Eastern European and Russian-speaking underground ecosystems, HUMINT tradecraft, behavioral analysis, and nation-state/hybrid warfare intelligence.&lt;/p&gt;


</description>
      <category>ai</category>
      <category>cybersecurity</category>
      <category>behavior</category>
      <category>eu</category>
    </item>
    <item>
      <title>How States Run Criminals Without Ever Touching Them.</title>
      <dc:creator>Adrian Alexandru Stinga</dc:creator>
      <pubDate>Fri, 05 Jun 2026 07:38:28 +0000</pubDate>
      <link>https://dev.to/aetherintel/how-states-run-criminals-without-ever-touching-them-3g49</link>
      <guid>https://dev.to/aetherintel/how-states-run-criminals-without-ever-touching-them-3g49</guid>
      <description>&lt;p&gt;How States Run Criminals Without Ever Touching Them. No contact. No instructions. No trace. Inside the invisible architecture of state-criminal coordination.&lt;/p&gt;

&lt;p&gt;HUMINT-Behavior Analysis Series&lt;/p&gt;

&lt;p&gt;Most people who end up serving a foreign state's interests didn't start for money. They started because someone made them feel like they belonged to something.&lt;/p&gt;

&lt;p&gt;By the time the money becomes the reason you stay, the ideology has done its job.&lt;/p&gt;

&lt;p&gt;In this Q&amp;amp;A, Adrian Alexandru Stinga unpacks the findings from one of the latest reports, 067 in the Nexus Grey Series.&lt;/p&gt;

&lt;p&gt;The best intelligence operations are the ones nobody knows happened. But what about the ones where even the people inside the operation don't know they're part of it?&lt;/p&gt;

&lt;p&gt;Stinga has spent almost two decades monitoring dark web ecosystems, tracking threat actors across underground marketplaces, forums, and Telegram channels. His latest report, GN-067, The Handler's Handbook, documents something most CTI analysts never look for: the invisible layer where state interests quietly shape criminal behaviour without a single direct instruction ever being given.&lt;/p&gt;

&lt;p&gt;Q: Your report opens with the line: "The best handler is the one whose asset does not know they have a handler." That sounds like it belongs in a spy novel. But you're saying this is something you actually observed?&lt;/p&gt;

&lt;p&gt;It's not a literary statement. It's an operational description. What I documented across the monitoring period, 2014 through 2026, is that the most effective state-criminal relationships are ones where the criminal actor genuinely believes everything they're doing is their own idea (at first). They're not lying when they say nobody told them what to do. Nobody did. The environment they operated in was engineered so that their rational self-interest produced exactly the outcomes a state actor wanted. That's not espionage fiction. That's tradecraft.&lt;/p&gt;

&lt;p&gt;Q: Let's start with the basics. When we think of a "handler" running an "asset," most people picture secret meetings, coded messages, dead drops. You're describing something completely different.&lt;/p&gt;

&lt;p&gt;Because the model most people have in their heads, the classic intelligence handler-source relationship, involves both parties knowing the relationship exists. Both sides accept the risk. Both understand the exchange. What I observed in the criminal underground is structurally different. The handler cannot afford for the asset to know they're being managed, because the entire point of using a criminal proxy is deniability. The moment the asset knows a state is involved, that deniability is gone. So the handler's craft becomes a negative discipline: not what to do, but what to avoid doing. No direct contact. No explicit instructions. No traceable payments. No persistent infrastructure. Everything that would make the relationship visible has to be eliminated.&lt;/p&gt;

&lt;p&gt;Q: So how does the handler actually direct the asset if they can't communicate with them?&lt;/p&gt;

&lt;p&gt;Three mechanisms, and they usually work together.&lt;/p&gt;

&lt;p&gt;The first is the cutout: an intermediary who carries direction from the handler to the asset without knowing they're carrying it. The cutout is typically an established criminal actor with a pre-existing organic relationship with the target asset. The handler influences the cutout's environment (what opportunities they see, what information reaches them) and the cutout naturally passes that influence forward through normal criminal community interaction. The cutout believes they're pursuing their own business. The asset believes they're hearing from a trusted criminal contact. The handler is invisible to both.&lt;/p&gt;

&lt;p&gt;Q: That's a hard claim. How do you know the cutout isn't just a regular criminal doing regular criminal things?&lt;/p&gt;

&lt;p&gt;From any single transaction, you can't tell the difference. That's the point: the entire architecture is designed to be indistinguishable from normal activity at the transactional level. The signal emerges from longitudinal monitoring. When you track the same actors across years, you start seeing systematic patterns that don't fit pure criminal logic. Opportunities consistent with state objectives keep reaching specific actors. The flow of those opportunities has a directionality and consistency that coincidence doesn't produce. The cutout never wonders why profitable deals keep finding them. But when you map the pattern from the outside, the engineering is visible.&lt;/p&gt;

&lt;p&gt;Q: You mentioned three mechanisms. The cutout is one. What's the second?&lt;/p&gt;

&lt;p&gt;Incentive engineering. This is the most sophisticated piece, and it's the one that matters most for detection. The handler doesn't tell the asset what to do. The handler calibrates the asset's environment (what opportunities reach them, what information they receive, what threats they face, what rewards they get) so that the asset's own rational calculation produces the behaviour the handler wants. The asset experiences full agency. Every decision is genuinely theirs. Every success feels earned. What they can't see is that the environment in which they're making those decisions was designed by someone they've never met.&lt;/p&gt;

&lt;p&gt;Q: Can you give a concrete example of what that looks like?&lt;/p&gt;

&lt;p&gt;Take financial incentive. A transaction reaches the asset through a cutout at pricing that's unusually profitable but not implausibly so. The asset takes it because it's good business. They don't ask why the pricing is generous; criminals don't question profit, they capture it. The handler set the pricing to attract the asset's participation in a specific capability development. The asset thinks they found a good deal. The handler achieved a procurement objective.&lt;/p&gt;

&lt;p&gt;Or take protection signalling. Competitors who become problems for the asset start encountering difficulties: law enforcement attention, infrastructure takedowns, community reputation damage. The asset notices they seem to have better luck than their competitors. They attribute it to skill or connections. They don't consider that someone is clearing the path ahead of them.&lt;/p&gt;

&lt;p&gt;Q: That sounds almost impossible to detect.&lt;/p&gt;

&lt;p&gt;It's the hardest form to detect because the visible behaviour of the asset is genuinely their own. You're not looking for deception. You're looking for an environment that produces predictable behaviour in a self-interested actor. The detection methodology has to focus on what I call behavioural inconsistency: the systematic divergence between what the actor does and what their visible interests alone would predict.&lt;/p&gt;

&lt;p&gt;Q: What does that look like in practice?&lt;/p&gt;

&lt;p&gt;Four layers. First, self-interest divergence: does the actor consistently behave in ways that don't serve their visible financial or operational interests? Second, opportunity pattern analysis: does the actor's opportunity flow show systematic bias toward outcomes aligned with state objectives? Third, protection signal analysis: does the actor enjoy risk reduction that has no visible source? And fourth, network composition: do the actor's contacts include clusters of other actors who display similar inconsistency signals?&lt;/p&gt;

&lt;p&gt;Any single inconsistency could be coincidence. Multi-layer inconsistency across sustained observation is a different signal entirely.&lt;/p&gt;

&lt;p&gt;Q: You mentioned a third mechanism: criminal mimicry.&lt;/p&gt;

&lt;p&gt;When the handler absolutely must communicate something that can't be engineered through incentives alone, the communication is structured to be indistinguishable from ordinary criminal-to-criminal interaction. The handler operates through a persona that presents as a criminal actor with compatible business interests. The communication discusses business in criminal community terms. On the surface, it looks like two criminals doing a deal.&lt;/p&gt;

&lt;p&gt;Q: How do you spot the fake?&lt;/p&gt;

&lt;p&gt;The persona leaks. Not immediately; these are well-constructed identities. But over time, longitudinal monitoring reveals patterns that don't fit. Selective transaction interest: the persona engages with state-aligned opportunities but ignores equally profitable criminal ones that have no intelligence value. Information sharing asymmetry: the persona gives more than it takes, which violates criminal community reciprocity norms. Discourse register anomalies: occasional slips into formal or analytical language, especially on the topics that matter most to the handler. And operational continuity gaps: disappearances that don't match criminal community patterns, followed by seamless returns. Real criminals don't go silent for three months and come back as if nothing happened without someone in the community noticing.&lt;/p&gt;

&lt;p&gt;Q: This all comes from direct observation? You were watching these patterns form in real time?&lt;/p&gt;

&lt;p&gt;Over years. Not weeks, not months. The patterns I'm describing are only visible from sustained longitudinal monitoring of the same actors, the same communities, the same infrastructure. That's what my work at Aether Intel has been for over a decade: tracking approximately 50 actors continuously through manual collection, without commercial tooling, watching their behaviour evolve across pseudonym changes, platform migrations, and jurisdictional shifts. The handler's fingerprint is in the shape of the activity over time. You can't see it from a snapshot.&lt;/p&gt;

&lt;p&gt;Q: What's the counterintelligence takeaway?&lt;/p&gt;

&lt;p&gt;That the most dangerous state-criminal coordination doesn't look like state-criminal coordination. It looks like a successful criminal having a good run. The detection challenge isn't technical; it's analytical. You need analysts who can hold a longitudinal behavioural baseline in their head and notice when reality diverges from what pure criminal logic would predict. That's not something an automated platform does well. It requires the kind of pattern recognition that comes from years of watching the same ecosystem evolve.&lt;/p&gt;

&lt;p&gt;Q: Final question. The report's conclusion says the best handlers you observed were the ones you couldn't actually observe at all. If they're invisible, how do you know they exist?&lt;/p&gt;

&lt;p&gt;Because I could see everything around them. I could see the assets they managed. I could see the cutouts they used. I could see the opportunity flows, the incentive patterns, the protection signals. I could see the systematic shape of activity that doesn't have a pure criminal explanation. The handler is the absence that explains the pattern. Detecting that absence, seeing what isn't there where it should be, is what counterintelligence analysis actually is. It's solvable. It's not easy.&lt;/p&gt;

&lt;p&gt;Adrian Alexandru Stinga is the founder and Lead Analyst of &lt;a href="https://aether-intel.com" rel="noopener noreferrer"&gt;Aether Intel&lt;/a&gt;, an independent Cyber Threat Intelligence practice based in Romania. GN-067 "The Handler's Handbook" is part of the GREY NEXUS deep dive intelligence series (GN-061 through GN-070), available at aether-intel.com.&lt;/p&gt;

&lt;p&gt;The full report includes MITRE ATT&amp;amp;CK technique mapping, a composite operational illustration, and a four-layer detection framework for handler presence identification.&lt;/p&gt;

&lt;p&gt;If you've observed cutout patterns in monitored criminal communities — actors whose behaviour deviates systematically from their apparent self-interest — these are high-value counterintelligence signals. Report to your national counterintelligence service.&lt;/p&gt;

&lt;p&gt;🔗 Full report 067 and catalogue: aether-intel.com&lt;/p&gt;

</description>
      <category>ai</category>
      <category>cybersecurity</category>
      <category>humint</category>
      <category>osint</category>
    </item>
    <item>
      <title>Europe Through 2028: The Infrastructure of the Next Global Election Cycle</title>
      <dc:creator>Adrian Alexandru Stinga</dc:creator>
      <pubDate>Fri, 29 May 2026 15:13:24 +0000</pubDate>
      <link>https://dev.to/aetherintel/europe-through-2028-the-infrastructure-of-the-next-global-election-cycle-omh</link>
      <guid>https://dev.to/aetherintel/europe-through-2028-the-infrastructure-of-the-next-global-election-cycle-omh</guid>
      <description>&lt;p&gt;In the world of security, we are obsessed with "zero days" and active breaches. We look for the explosion. But as I’ve been tracking across monitored dark web and Telegram ecosystems over the last few months, the most significant threat we’re currently facing isn't a payload; it’s an infrastructure build.&lt;/p&gt;

&lt;p&gt;The networks that will define the geopolitical landscape in 2028 are not being built then. They are being assembled now.&lt;/p&gt;

&lt;p&gt;The "Build Phase" Problem&lt;/p&gt;

&lt;p&gt;We are currently in the seam between the initial procurement of assets and the mass activation of influence infrastructure. Based on our latest strategic assessment at Aether Intel, we expect the large-scale reappearance of "warmed" and "aged" accounts to emerge significantly between late 2026 and Q1 2027.&lt;/p&gt;

&lt;p&gt;Why does this window matter? Because influence operations are a logistical challenge. You cannot manufacture credible, aged social media accounts or trusted operators overnight. They have to be built, aged, and fed with authentic-looking content months or years in advance.&lt;/p&gt;

&lt;p&gt;What We’re Observing: The Shift in Adversary Tradecraft&lt;/p&gt;

&lt;p&gt;If you look at the chatter in the dark web marketplaces and private Telegram channels, you don't see "loud" threats. You see patience. We are tracking four key indicators of this long-term build:&lt;/p&gt;

&lt;p&gt;Selective Recruitment: It’s no longer about bulk spamming. Adversaries are pivoting to mid-to-senior level operators selected based on reputation and operational security (OPSEC). They aren't looking for quantity; they are looking for "vouched" capability.&lt;/p&gt;

&lt;p&gt;Recycled Criminal Proceeds: We are seeing a distinct movement where proceeds from standard cyber-criminality (like RaaS or fraud) are being diverted to fund influence infrastructure that doesn't necessarily pay for itself in the short term. This is a strategic investment in geopolitical leverage.&lt;/p&gt;

&lt;p&gt;The Native-Language Affiliate Model: One playbook, many regional faces. Instead of translating wholesale, which triggers detection, we see regional affiliates adapting narratives to sound natively organic. This diffuse model makes attribution almost impossible.&lt;/p&gt;

&lt;p&gt;The AI Compounding Effect: Generative AI is reducing the cost of every single component, from account aging to content synthesis, by orders of magnitude.&lt;/p&gt;

&lt;p&gt;Why This is a Geopolitical Convergence&lt;/p&gt;

&lt;p&gt;The core takeaway of our latest Horizon Briefings series is this: Criminal infrastructure and influence operations have stopped being separate problems.&lt;/p&gt;

&lt;p&gt;They are converging. The tools used to commit financial fraud are now the exact same tools used to run influence campaigns. The infrastructure that keeps a C2 server alive is the same infrastructure maintaining a botnet of aged-to-authenticity accounts.&lt;/p&gt;

&lt;p&gt;The Defender’s Window is Now&lt;/p&gt;

&lt;p&gt;By the time these networks surface on the open web in 2028, the hard part for the adversary will be done. They will have bypassed the "trust filters" of major platforms because their accounts will have years of legitimate-looking history.&lt;/p&gt;

&lt;p&gt;The window to disrupt this capability is during the Build Phase.&lt;/p&gt;

&lt;p&gt;For us, as practitioners, this means shifting our focus from detection to predictive visibility. We need to monitor for the transition from inactivity to reappearance, one of the cleanest indicators we have.&lt;/p&gt;

&lt;p&gt;This article summarizes the key insights from our latest report, "Europe Through 2028: Strategic Threat Forecast". If you are interested in the granular technical analysis of these behavioral patterns, you can read the full report at Aether-Intel.com. - Horizon Briefings&lt;/p&gt;

</description>
      <category>ai</category>
      <category>cybersecurity</category>
      <category>behavior</category>
      <category>machinelearning</category>
    </item>
    <item>
      <title>You Don’t Need to Be Recruited to Become an Asset</title>
      <dc:creator>Adrian Alexandru Stinga</dc:creator>
      <pubDate>Tue, 26 May 2026 13:50:20 +0000</pubDate>
      <link>https://dev.to/aetherintel/you-dont-need-to-be-recruited-to-become-an-asset-55lb</link>
      <guid>https://dev.to/aetherintel/you-dont-need-to-be-recruited-to-become-an-asset-55lb</guid>
      <description>&lt;p&gt;In the landscape of modern cyber-espionage and non-state actor operations, there is a recurring misconception in security analysis: the belief that there is a coherent ideology behind every attacker. Analysts often fall into the trap of seeking a "cause" or a set of beliefs to explain the actions of threat actors. However, recent intelligence, specifically the GN-065 report "Loyalty Without Allegiance" from Aether Intel, reveals a different reality: the modern proxy operator is not a "digital patriot," but a figure whose effectiveness relies on pragmatic, transactional compartmentalization.&lt;/p&gt;

&lt;p&gt;The Myth of the "Cyber Patriot"&lt;br&gt;
The idea that cyber-operators act out of national or ideological fervor is a dangerous simplification. In reality, most actors operating in the gray zone, whether within Ransomware-as-a-Service (RaaS) groups or state-aligned proxy networks, are not driven by flags or doctrines. They are high-level mercenaries navigating an environment that demands they act against their own underlying values, or at the very least, remain indifferent to them.&lt;/p&gt;

&lt;p&gt;Their effectiveness is not built on loyalty, but on a psychological defense mechanism: compartmentalization.&lt;/p&gt;

&lt;p&gt;The Psychological Architecture: Three Profiles&lt;br&gt;
The report identifies three dominant profiles of proxy operators, defined not by their technical capabilities, but by the "anchors" that keep them tethered to their handlers:&lt;/p&gt;

&lt;p&gt;The Financial Operator: For them, "professionalism" is a mask. They treat cyber-operations like a corporate job. They are often trapped in a cycle of financial necessity, where the demands of their handlers make exiting the ecosystem practically impossible.&lt;/p&gt;

&lt;p&gt;The Status-Driven Operator: These individuals build their identity around their reputation within underground communities. The role is the identity. The fear of losing status or "face" among their peers is far more potent than the fear of legal or moral consequences.&lt;/p&gt;

&lt;p&gt;The Captured Operator: Operating through "compliance by fear." These are the most vulnerable actors. They have neither motivation nor autonomy; they act out of inertia and a desperate lack of safe alternatives.&lt;/p&gt;

&lt;p&gt;The full proxy profiles can be viewed on our demo SaaS platform at aether-intel.com (9 available to the public).&lt;/p&gt;

&lt;p&gt;The "Detection Window": Signals of Deterioration&lt;br&gt;
For Threat Intelligence and Counterintelligence professionals, the most critical takeaway from the report is that people are not machines. No matter how disciplined the compartmentalization is, psychological stress eventually takes its toll.&lt;/p&gt;

&lt;p&gt;The report emphasizes the importance of monitoring for "motivation deterioration signals." When a proxy operator begins to show signs of exhaustion, when their operational discipline falters, or when there are abrupt shifts in engagement, we are witnessing a crack in the facade.&lt;/p&gt;

&lt;p&gt;Why does this matter? Because these cracks represent "windows of opportunity." An operator who is losing their conviction or who is becoming frustrated with their handlers is an operator who can be "flipped" or who may provide intelligence of inestimable value.&lt;/p&gt;

&lt;p&gt;Reporting as an Act of Integrity&lt;br&gt;
A vital point made by the report is the reframing of the reporting process. In an ecosystem where loyalty is merely a facade, reporting observed activities is not an act of betrayal; it is an act of integrity.&lt;/p&gt;

&lt;p&gt;In the world of cyber-defense, where digital infrastructure is the new theater of operations, the psychological stability and motivations of those operating within it are matters of global security.&lt;/p&gt;

&lt;p&gt;Conclusion: Look Beyond the Code&lt;br&gt;
When we analyze RaaS groups or espionage operations, we must realize that we are not just fighting against malware or server infrastructure; we are dealing with complex human architectures.&lt;/p&gt;

&lt;p&gt;As Aether Intel aptly notes, "never mistake the operator’s output for the operator’s soul." Understanding the psychology behind "loyalty without allegiance" is not just an academic exercise; it is the most effective way to anticipate, and ultimately dismantle, a threat before the strike occurs.&lt;/p&gt;

&lt;p&gt;The full reports on Aether-Intel.com show the connection between a proxy patriot and the dark web.&lt;/p&gt;

</description>
      <category>ai</category>
      <category>humint</category>
      <category>cybersecurity</category>
      <category>osint</category>
    </item>
    <item>
      <title>HUMINT Challenge #1: Think Like an Adversary 🎯
New ransomware group, 2TB claimed, high pressure. 
But something’s off: old infrastructure, mismatched data samples, atypical tactics.

Is it a bluff or a real threat? How do you investigate?

#HUMINT</title>
      <dc:creator>Adrian Alexandru Stinga</dc:creator>
      <pubDate>Sat, 23 May 2026 16:33:04 +0000</pubDate>
      <link>https://dev.to/aetherintel/humint-challenge-1-think-like-an-adversary-new-ransomware-group-2tb-claimed-high-pressure-7lj</link>
      <guid>https://dev.to/aetherintel/humint-challenge-1-think-like-an-adversary-new-ransomware-group-2tb-claimed-high-pressure-7lj</guid>
      <description></description>
      <category>cybersecurity</category>
      <category>discuss</category>
      <category>infosec</category>
      <category>security</category>
    </item>
    <item>
      <title>Hybrid Warfare Never Stopped. Most People Just Stopped Recognizing It.</title>
      <dc:creator>Adrian Alexandru Stinga</dc:creator>
      <pubDate>Fri, 22 May 2026 05:23:14 +0000</pubDate>
      <link>https://dev.to/aetherintel/hybrid-warfare-never-stopped-most-people-just-stopped-recognizing-it-1h4l</link>
      <guid>https://dev.to/aetherintel/hybrid-warfare-never-stopped-most-people-just-stopped-recognizing-it-1h4l</guid>
      <description>&lt;p&gt;What a decade of observing hybrid warfare ecosystems reveals about where we are now.&lt;br&gt;
There is a moment, when you have been watching something long enough, where the pattern stops feeling like analysis and starts feeling like memory.&lt;/p&gt;

&lt;p&gt;I have spent well over a decade monitoring the intersection of hybrid warfare operations, dark web criminal ecosystems, and the information environments that connect them. I did not start this work from a think tank, an intelligence agency, or a university. I started it from inside the communities being studied, observing in real time, from a NATO Eastern Flank position, as the architecture of modern information warfare was being assembled around me.&lt;/p&gt;

&lt;p&gt;What I want to share here is not academic. It is observational. And the observation that matters most right now is this:&lt;/p&gt;

&lt;p&gt;The actors who built the first generation of hybrid warfare infrastructure are still operational. They are significantly more capable. And the population they are targeting is significantly more susceptible than it was when this started.&lt;/p&gt;

&lt;p&gt;The Architecture That Was Being Built While No One Was Watching&lt;br&gt;
When the first coordinated information operations appeared across European social media platforms in early 2014, the analysis that followed treated them as a novel phenomenon. What direct community monitoring revealed was something different: the infrastructure had been under construction for months. Communities with ostensibly cultural or historical focus, cultivated across multiple languages simultaneously, activated as coordinated distribution networks within hours of a triggering geopolitical event. The narrative architecture was not assembled in response to events. It was prepared in advance and deployed on cue.&lt;/p&gt;

&lt;p&gt;The simultaneity was the tell. Organic public sentiment does not appear in Romanian, Italian, Serbian, and Hungarian communities with culturally localized framing within eighteen hours of a triggering event. Coordination does.&lt;/p&gt;

&lt;p&gt;What Western analysis missed at the time — and what took years to correctly categorize — was that this was not primarily a technology problem. It was a behavioral one. The operation did not create the anger it distributed. It found the anger that already existed, validated it, and directed it toward specific political outcomes. The emotional material was real. The grievances were genuine. The distribution was manufactured.&lt;/p&gt;

&lt;p&gt;That distinction matters profoundly, because it has not changed. It has intensified.&lt;/p&gt;

&lt;p&gt;The Criminal-Geopolitical Pipeline&lt;br&gt;
One of the most consequential findings from sustained dark web monitoring over this period is the relationship between criminal financial infrastructure and geopolitical operational infrastructure. These are not separate systems. They became the same system operating at different layers.&lt;/p&gt;

&lt;p&gt;The early phase of this integration, in the 2014–2016 period, was not state-directed. It was ideologically motivated. Actors who had existing criminal capabilities (primarily operating in dark web markets, carding, ransomware revenue) made independent decisions to channel that revenue toward conflict support operations they genuinely believed in. The ideology preceded the state relationship. The state identified these voluntary contributors after they had already paid.&lt;/p&gt;

&lt;p&gt;This matters for detection because the standard analytical framework for state-criminal overlap assumes the state is the principal. In the Donbas model, the sequence was reversed: belief first, crime as financial infrastructure second, state identification and recruitment third. The pipeline ran from grassroots conviction through criminal capability to state-adjacent asset, not the other direction.&lt;/p&gt;

&lt;p&gt;By 2019–2020, the cryptocurrency infrastructure that had once been PayPal donation links on VK was running through Monero wallets, DEX routing, and multi-hop mixing protocols. The same community members who had been posting about conflict support in public Facebook groups in 2015 were using privacy coins and decentralized exchanges five years later. The ideological and criminal ecosystems did not separate as they matured. They grew together.&lt;/p&gt;

&lt;p&gt;The criminal-geopolitical financial overlap documented throughout this period is not a historical artifact. It is the current operating model, adapted and refined over a decade of continuous use.&lt;/p&gt;

&lt;p&gt;The Line That Does Not Exist&lt;br&gt;
The boundary between state-sponsored threat actor and criminal operator is the analytical fiction that most institutional frameworks are least equipped to abandon.&lt;/p&gt;

&lt;p&gt;The state does not direct its criminal ecosystem. It licenses it. The license is not a contract. It is an understanding: operate where you want, avoid certain targets, be available when asked, and law enforcement attention will remain structurally absent. From more than a decade of monitoring Russian-language criminal forums, the behavioral constraints of this license system are observable in aggregate forum behavior even when they are never explicitly stated. The asymmetry between actors who target Russian organizations and actors who do not is too consistent across too many actors over too long a period to be coincidental.&lt;/p&gt;

&lt;p&gt;The criminal actor who begins declining certain transaction types, improving their operational security with a discipline that exceeds what experience-based learning produces, and demonstrating knowledge of target environments that their stated criminal methodology should not provide: that actor is exhibiting the behavioral signature of state recruitment. The transition is not abrupt. It is a gradual accumulation of small improvements that individually have innocent explanations and collectively do not.&lt;/p&gt;

&lt;p&gt;For analysts who understand this architecture, the line between espionage and cybercrime is not a classification problem. It is a deliberate strategic design.&lt;/p&gt;

&lt;p&gt;Why People Are More Vulnerable Now Than They Were Then&lt;br&gt;
This is the observation that I find most important to communicate, and the one that receives the least attention in the policy and security discourse I encounter.&lt;/p&gt;

&lt;p&gt;The effectiveness of influence operations is not primarily a function of their technical sophistication. It is a function of the emotional and cognitive material available in the target population. An operation that finds pre-existing grievances, validates them, and redirects the resulting emotional energy wins on the emotional register even when it loses on the factual one. Because the emotional register is where it was designed to operate.&lt;/p&gt;

&lt;p&gt;In 2014, the emotional material available in most European target populations was moderate. Institutional trust (in governments, in media, in European structures, in the transatlantic alliance) was imperfect but functional. The information operations of that period had to work against populations for whom institutional counter-narratives still carried credibility.&lt;/p&gt;

&lt;p&gt;That has changed.&lt;/p&gt;

&lt;p&gt;The populations that information operations now target in Eastern Europe carry a decade more of accumulated institutional disappointment. The brain drain is lived experience, not a statistic. The EU membership benefits are perceived as unevenly distributed by the people who received the smaller share. The economic comparisons with Western Europe are documented in the daily bank account of every person who stayed behind while someone they knew emigrated. These are not manufactured grievances. They are real.&lt;/p&gt;

&lt;p&gt;And real grievances are the only raw material that effective influence operations require.&lt;/p&gt;

&lt;p&gt;The local influencer model that has replaced bot networks in Eastern Flank electoral interference cases works precisely because authenticity cannot be manufactured. A real person, with a real community following, sharing content that reflects positions they partially hold, paid in cryptocurrency for the reach but not for the conviction: that person is not a fake. They are genuinely credible to their genuine audience. The payment buys distribution. The authenticity is real.&lt;/p&gt;

&lt;p&gt;The shift from bot networks to real people with real grievances is the single most consequential operational evolution in the influence operation landscape since 2014. It is also the evolution that is hardest to detect, hardest to disrupt, and hardest to counter without producing the iatrogenic amplification cycle where institutional counter-messaging amplifies the operation's central narrative among precisely the demographics most susceptible to it.&lt;/p&gt;

&lt;p&gt;The Dark Web as Early Warning Layer&lt;br&gt;
The operational intelligence insight that ten years of dark web monitoring has produced most consistently is this: the events that manifest on surface platforms in weeks are being planned and resourced in underground forums now.&lt;/p&gt;

&lt;p&gt;The TikTok algorithmic seeding campaigns that achieved electoral effect in the 2024 Eastern Flank cycle were assembled from commercial dark web supply chains (influencer recruitment posts, account farm purchases, content production services with political calibration) weeks before the content appeared. The platforms saw the amplification. The preparation was invisible to anyone who wasn't watching where the preparation was occurring.&lt;/p&gt;

&lt;p&gt;IAB listings for critical infrastructure and defense-adjacent targets in Eastern Flank member states that carry premium prices with no financial exploitation rationale — those listings are not noise. They are a signal that adversarial actors with state-level motivation have assessed specific targets as worth the investment. The financial logic is wrong for a criminal buyer. It is exactly right for a strategic one.&lt;/p&gt;

&lt;p&gt;The intelligence gap that allows most operations to achieve surprise is not technical. It is the absence of monitoring where the preparation is occurring.&lt;/p&gt;

&lt;p&gt;What Has Not Changed&lt;br&gt;
The operational template deployed in early 2014 (pre-positioned communities, culturally localized narrative architecture, exploitation of authentic grievances, dark web financial infrastructure, simultaneous multi-platform activation) is the same template that is operationally active in 2026.&lt;/p&gt;

&lt;p&gt;The platforms have changed. Facebook gave way to Telegram, Telegram to TikTok. The cryptocurrency infrastructure has evolved from primitive direct transfers to institutional-grade obfuscation. The content production capacity has been multiplied by AI integration that has removed the human resource constraints that previously limited campaign volume.&lt;/p&gt;

&lt;p&gt;But the actors who understood this system when it was being built are still the actors running it. The communities that were cultivated in 2014 were never dismantled. They were never truly disrupted. They grew in the dark, funded by the same criminal financial ecosystem that was always their infrastructure, until geopolitical events made them visible to audiences that had been looking elsewhere.&lt;/p&gt;

&lt;p&gt;The asymmetry between analysts who have been watching this continuously and institutions that are encountering it as a new problem is not a knowledge gap. It is a time gap. And the operational value of sustained longitudinal monitoring (in dark web communities, in influence operation ecosystems, in the criminal-geopolitical overlap) is precisely the baseline that makes the current signals readable.&lt;/p&gt;

&lt;p&gt;The signals were already changing before the announcements were made. They always are.&lt;/p&gt;

&lt;p&gt;Adrian Alexandru Stîngă is Lead Analyst A-01 at Aether Intel, a CTI research platform producing threat intelligence at the intersection of dark web ecosystems, hybrid warfare operations, and Eastern Flank security. The full AS-CTI-2026 series (30 reports, TLP:CLEAR) and the OBSIDIAN-TRACE deep-dive series are published at aether-intel.com.&lt;/p&gt;

&lt;p&gt;All analysis reflects direct community-level observation. Where assessments draw on community-level intelligence that cannot be independently verified, confidence levels are explicitly documented in the underlying reports.&lt;/p&gt;

</description>
      <category>ai</category>
      <category>cybersecurity</category>
      <category>geopolitical</category>
      <category>eu</category>
    </item>
    <item>
      <title>(HUMINT) The recruiter doesn't approach a soldier.</title>
      <dc:creator>Adrian Alexandru Stinga</dc:creator>
      <pubDate>Mon, 18 May 2026 12:43:30 +0000</pubDate>
      <link>https://dev.to/aetherintel/humint-the-recruiter-doesnt-approach-a-soldier-21i9</link>
      <guid>https://dev.to/aetherintel/humint-the-recruiter-doesnt-approach-a-soldier-21i9</guid>
      <description>&lt;p&gt;They approach a person with debt, a difficult divorce, or a grievance against their institution who happens to be a soldier.&lt;/p&gt;

&lt;p&gt;That distinction explains why most military counterintelligence programmes miss the majority of recruitment attempts. They screen for ideology. &lt;br&gt;
Dark web recruiters exploit finances.&lt;br&gt;
OT-057, our latest OBSIDIAN-TRACE deep dive, documents what that actually looks like from the inside: the question patterns used to map access without triggering security awareness training, the four-phase progression from "initial trust" to "operational tasking," and, critically, the CTI detection signals that appear on dark web forums weeks before any individual is ever approached.&lt;/p&gt;

&lt;p&gt;The finding that concerns us most: Eastern Flank military expansion is producing a larger, less thoroughly vetted personnel pool at exactly the moment adversarial recruitment incentive is at its peak. The signals we're monitoring are consistent with that assessment.&lt;br&gt;
The report covers detection methodology, MITRE ATT&amp;amp;CK mapping, and specific recommendations for counterintelligence officers and security programme designers.&lt;/p&gt;

&lt;p&gt;TLP:WHITE — available at aether-intel.com&lt;/p&gt;

</description>
      <category>ai</category>
      <category>humint</category>
      <category>osint</category>
      <category>cybersecurity</category>
    </item>
    <item>
      <title>Telegram Didn't Kill the Dark Web. It Became Its Most Dangerous Wing.</title>
      <dc:creator>Adrian Alexandru Stinga</dc:creator>
      <pubDate>Thu, 14 May 2026 06:16:09 +0000</pubDate>
      <link>https://dev.to/aetherintel/telegram-didnt-kill-the-dark-web-it-became-its-most-dangerous-wing-37ke</link>
      <guid>https://dev.to/aetherintel/telegram-didnt-kill-the-dark-web-it-became-its-most-dangerous-wing-37ke</guid>
      <description>&lt;blockquote&gt;
&lt;p&gt;Research disclosure: This article is based on passive observation intelligence from the AS-CTI-2026 series (TLP:WHITE). No participation in illicit activity was performed or implied. All assessments are analytical and probabilistic in nature.&lt;/p&gt;
&lt;/blockquote&gt;

&lt;p&gt;There's a take circulating in security circles that Telegram "replaced" the dark web. It's wrong, and the people saying it are missing something more important.&lt;/p&gt;

&lt;p&gt;Telegram didn't replace the dark web. It became the dark web's retail layer. A high-volume, low-barrier, fully or semi-automated surface for the portion of criminal activity that no longer &lt;em&gt;needs&lt;/em&gt; the anonymity guarantees of Tor-based infrastructure. And that distinction matters enormously, because the result is a two-tier criminal ecosystem that is structurally more dangerous than either layer alone.&lt;/p&gt;

&lt;p&gt;Why the Dark Web Isn't Going Anywhere&lt;/p&gt;

&lt;p&gt;Let's establish what the dark web actually offers that Telegram structurally cannot.&lt;/p&gt;

&lt;p&gt;Tor routing provides genuine multi-hop anonymization of traffic at the network layer. Monero, the dominant payment rail on serious dark web markets, provides transaction unlinkability that Bitcoin fundamentally cannot replicate. Vetted forum communities have decade-long reputation systems built on PGP-signed communications and escrow structures that require real operational security to participate in. Market administrators on dark web forums can verify vendor history, mediate disputes, and enforce norms in ways that Telegram's bot-operated channels have no equivalent for.&lt;/p&gt;

&lt;p&gt;For high-value operations (initial access to enterprise networks, nation-state adjacent tooling, serious infrastructure procurement, intelligence brokerage) the dark web remains the appropriate infrastructure. The anonymity requirements are non-negotiable. The vetting requirements are non-negotiable. Telegram cannot offer either.&lt;/p&gt;

&lt;p&gt;The dark web is not a legacy system being deprecated. It is the sophisticated tier of a bifurcated criminal infrastructure, and it will remain so as long as Tor, Monero, and PGP exist.&lt;/p&gt;

&lt;p&gt;What Telegram Actually Displaced&lt;/p&gt;

&lt;p&gt;What Telegram did displace, and this is the part that matters, is the &lt;em&gt;volume layer&lt;/em&gt; of dark web criminal activity. The commodity transactions. The mass-market operations. The criminal services that were previously accessible only to people willing to navigate Tor, manage a PGP key, and operate with dark web market discipline.&lt;/p&gt;

&lt;p&gt;Between 2020 and 2022, dark web market vendors began proactively migrating their customer bases to Telegram. Not because it was more secure. Because it was more &lt;em&gt;scalable&lt;/em&gt;. A Telegram link requires no technical threshold from the customer. No Tor. No PGP. No captcha. The vendor gains access to a vastly larger addressable market — anyone with a smartphone and a referral link — at the cost of reduced anonymity that, for commodity transactions, they judged acceptable.&lt;/p&gt;

&lt;p&gt;By 2023-2024, Telegram had effectively displaced dark web markets for entire &lt;em&gt;categories&lt;/em&gt; of transaction: drug distribution to end consumers, commodity malware sales, financial fraud product distribution. Not because it's better infrastructure (it isn't) but because the operational requirements of those categories don't demand what the dark web provides. A customer buying cannabis doesn't need Tor. A threat actor buying a commodity infostealer doesn't need Monero. Telegram is good enough, and good enough at scale beats excellent in a niche.&lt;/p&gt;

&lt;p&gt;The Automation Engine&lt;/p&gt;

&lt;p&gt;The Telegram criminal layer has one property that distinguishes it sharply from dark web market equivalents: near-total automation.&lt;/p&gt;

&lt;p&gt;Vendor-operated bot systems likely handle over 90% of criminal transactions on the platform (product browsing, payment processing, order confirmation, and delivery coordination) with minimal human intervention during normal operations. This isn't dark web market architecture with a better interface. This is an e-commerce stack built for volume.&lt;/p&gt;

&lt;p&gt;The standard transaction flow for drug distribution, the dominant criminal category on the platform, runs entirely without human contact: a customer pays a &lt;strong&gt;$5–10 entry fee&lt;/strong&gt; to join a channel, browses products through a bot interface, receives a cryptocurrency payment address, completes payment, and receives GPS coordinates for a dead drop pickup location. Average transaction value: approximately &lt;strong&gt;$100&lt;/strong&gt;. Zero human contact between vendor and buyer at any stage.&lt;/p&gt;

&lt;p&gt;For comparison, dark web market transactions involve escrow systems, dispute resolution, PGP-encrypted communications, and vendor reputation management — all of which require human oversight. The dark web prioritizes security and trust mechanisms. Telegram prioritizes throughput. They are optimizing for different things, serving different operational profiles.&lt;/p&gt;

&lt;p&gt;The MITRE Footprint of the Telegram Layer&lt;/p&gt;

&lt;p&gt;For security practitioners, the observed ATT&amp;amp;CK mapping of Telegram criminal activity covers the commodity-to-mid-tier range of the threat spectrum:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;T1566 (Phishing) — credential theft kits sold as a criminal service; phishing infrastructure distributed at scale&lt;/li&gt;
&lt;li&gt;T1588.001 (Obtain Capabilities: Malware) — commodity stealers (RedLine, Lumma) via automated bot channels&lt;/li&gt;
&lt;li&gt;T1657 (Financial Theft) — compromised financial accounts (fullz, payment processor accounts) as primary product category&lt;/li&gt;
&lt;li&gt;T1078 (Valid Accounts) — stolen credentials sold directly; account takeover services via bot interface&lt;/li&gt;
&lt;li&gt;T1567 (Exfiltration Over Web Service) — Telegram used as C2 and exfiltration channel by multiple malware families&lt;/li&gt;
&lt;li&gt;T1583 (Acquire Infrastructure) — bulletproof hosting, RDP access as infrastructure services&lt;/li&gt;
&lt;li&gt;T1090 (Proxy) — residential proxy services for operational anonymization&lt;/li&gt;
&lt;li&gt;T1119 (Automated Collection) — bot systems automate the complete transaction lifecycle&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;Notice what's largely absent from this list: the sophisticated, targeted, high-value operations such as APT tooling, zero-day brokerage, and critical infrastructure access. Those remain on dark web forums where the vetting, anonymity, and trust infrastructure exists to support them. Telegram is the volume layer. The dark web handles the apex tier.&lt;/p&gt;

&lt;p&gt;A Structural Intelligence Gap&lt;/p&gt;

&lt;p&gt;One of the most analytically significant observations from longitudinal monitoring of Telegram criminal channels is the payment infrastructure failure.&lt;/p&gt;

&lt;p&gt;Bitcoin dominates criminal transactions on Telegram, a significant operational security error. Unlike Monero-based dark web market transactions, Bitcoin payments create permanent, traceable blockchain records linking transaction patterns to identifiable KYC exchange accounts. The gap between what operators know they should use (privacy coins) and what they actually deploy (Bitcoin, because it reduces customer friction) is directly and consistently observable across channel types.&lt;/p&gt;

&lt;p&gt;This OPSEC failure is an intelligence collection opportunity that law enforcement financial investigation units are not fully exploiting, particularly given that the dark web's Monero-dominant payment layer is significantly harder to trace. The two-tier ecosystem has, perhaps unintentionally, sorted criminal operators by their sophistication and their exposure to blockchain forensics.&lt;/p&gt;

&lt;p&gt;The Durov Arrest Was Noise&lt;/p&gt;

&lt;p&gt;When Pavel Durov was arrested in France in August 2024, the criminal ecosystem on his platform registered zero observable operational impact. Channels stayed live. Bot systems kept processing orders. Transaction flows continued uninterrupted.&lt;/p&gt;

&lt;p&gt;This outcome was predictable. Criminal infrastructure on Telegram was never dependent on founder oversight or moderation policy decisions. It had grown into a self-sustaining automated ecosystem. Any enforcement action at the platform level would need to be sustained, coordinated, and targeted at the bot infrastructure itself, not at executives, to have operational impact.&lt;/p&gt;

&lt;p&gt;The arrest also illustrates the limits of thinking about this problem as a Telegram problem. Telegram is the current substrate. If enforcement pressure forced a meaningful migration, the same criminal ecosystem would reconstitute on a different platform, likely one with weaker existing law enforcement relationships. The infrastructure is the actors and their automation, not the application.&lt;/p&gt;

&lt;p&gt;What the Two-Tier Architecture Means for Defenders&lt;/p&gt;

&lt;p&gt;Understanding that we're dealing with a bifurcated ecosystem, not a single criminal infrastructure, has direct implications for how defenders should orient.&lt;/p&gt;

&lt;p&gt;Dark web monitoring and Telegram monitoring are not interchangeable. They cover different operational tiers of the same threat landscape. A security team monitoring only dark web forums will miss the commodity credential market, the automation infrastructure for account takeover, and the malware distribution channels that operate primarily on Telegram. A team monitoring only Telegram misses the sophisticated, high-value operations that remain dark web-native.&lt;/p&gt;

&lt;p&gt;The barrier to entry for criminal services has collapsed at the Telegram tier. What previously required dark web operational security (accessing commodity malware, purchasing stolen credentials, procuring account takeover services) now requires a Telegram link and a small cryptocurrency payment. Threat actors who would have been filtered out by dark web friction now have functional access to a criminal services marketplace. The overall volume of threats is structurally higher as a result.&lt;/p&gt;

&lt;p&gt;The two tiers communicate. Dark web forums reference Telegram channels. Telegram operators advertise on dark web marketplaces. Intelligence that lives only in one tier is incomplete intelligence. The ecosystem is integrated, even if the operational profiles of each tier are distinct.&lt;/p&gt;

&lt;p&gt;The Real Threat Model&lt;/p&gt;

&lt;p&gt;The dark web is not being replaced. It is being complemented by a vastly more accessible, vastly more automated parallel layer that handles the criminal activity that no longer requires its guarantees.&lt;/p&gt;

&lt;p&gt;Together, the two tiers cover the full spectrum: the dark web handles sophisticated, high-anonymity, high-value operations; Telegram handles commodity, volume-driven, automated operations accessible to anyone. The combined surface is broader than either alone, and the Telegram layer specifically represents a threat category that most organizational security frameworks were not designed to address, because it didn't exist at this scale five years ago.&lt;/p&gt;

&lt;p&gt;We are not watching Telegram displace the dark web. We are watching a criminal infrastructure that has successfully specialized, with each tier handling the work it is best suited for. That is a more mature, more resilient threat landscape than the one we were modeling before.&lt;/p&gt;

&lt;p&gt;This analysis is informed by the AS-CTI-2026-005 report "Telegram as Criminal Infrastructure: Ecosystem, Actors, and Emerging Threats," produced through longitudinal direct community observation. Part of the 30-report AS-CTI-2026 series by &lt;a href="https://aether-intel.com" rel="noopener noreferrer"&gt;Aether Intel&lt;/a&gt; — Lead Analyst A-01. TLP:WHITE.&lt;/p&gt;

&lt;p&gt;What tier of this ecosystem is your organization currently monitoring? Most threat intel programs I've seen cover one or the other, rarely both with equivalent depth.&lt;/p&gt;

</description>
      <category>ai</category>
      <category>cybersecurity</category>
      <category>webdev</category>
      <category>cryptocurrency</category>
    </item>
  </channel>
</rss>
